DE-IBH · PhilippKilian · Jun 16, 2024 · Jun 13, 2024 · Jun 13, 2024 · Jun 16, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # ChangeLog
 
+## 3.2.4 - 2024-06-16
+
+Fixes:
+- fix **security** bug in getRecordings endpoint
+
+This release fixes a security bug that allowed authenticated api requests to manage recordings of any tenants and their secrets.
+
 ## 3.2.3 - 2024-05-28
 
 Fixes:
@@ -16,7 +23,7 @@ Fixes:
 
 Changes:
 - adjust to BBB 2.7.8 API changes 
-  - forbid POST request for `join` endpoint ()
+  - forbid POST request for `join` endpoint
   - adjustments for POST headers are already handled
 - meeting name check:
   - add check for meeting name length for faster response without sending a request to backend systems

diff --git a/b3lb/rest/classes/api.py b/b3lb/rest/classes/api.py
@@ -335,7 +335,7 @@ def allowed_methods(self) -> List[Literal["GET", "POST", "DELETE", "PATCH", "PUT
 
     def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> QuerySet[Record]:
         if self.state and self.state not in ["unpublished", "published"]:
-            return QuerySet(model=Record)  # return empty QuerySet if state isn't in allowed states
+            return Record.objects.none()  # return empty QuerySet if state isn't in allowed states
 
         query = Q(record_set__secret=self.secret)
 
@@ -344,14 +344,13 @@ def filter_recordings(self, meeting_id: str = "", recording_id: str = "") -> Que
                 UUID(recording_id)
                 query &= Q(uuid=recording_id)
             except ValueError:
-                return QuerySet(model=Record)  # return empty QuerySet for BadRequest
+                return Record.objects.none()  # return empty QuerySet for BadRequest
 
         if meeting_id:
-            try:
-                UUID(meeting_id)
-                query %= Q(record_set__meta_meeting_id=meeting_id)
-            except ValueError:
-                return QuerySet(model=Record)  # return empty QuerySet for BadRequest
+            if 2 <= len(meeting_id) <= cst.MEETING_ID_LENGTH:
+                query &= Q(record_set__meta_meeting_id=meeting_id)
+            else:
+                return Record.objects.none()  # return empty QuerySet for BadRequest
 
         if self.state == "published":
             query &= Q(published=True)